Security Disclosure (did not fix) - Astbury Marsden

Earlier this year, I was approached by a recruiter from another specialist IT, Corporate Risk, and Cyber Security recruitment company - Astbury Marsden. I wasn’t interested in a job (I’m very happy where I am!) but out of habit, checked their website - only to find a security issue!

Unfortunately, Astbury Marsden wasn’t using a secure connection on its website - exposing personally identifiable information (user names, emails, cover letters, CVs, telephone numbers, and passwords) to anyone on an insecure network.

As of this post going live, they still haven’t fixed this, despite an initial acknowledgement of the issue and repeated contact.

This is the second cyber security recruitment company I’ve blogged about not using a secure connection on their pages, and it’s not the last (I have a third disclosure in progress at the moment).

It’s now been 187 days since I initially disclosed this issue to Astbury Marsden and it’s still not been fixed - more than twice the 90-day window after which my Disclosure Policy says I will publicly disclose.

Disclosure Timeline:

  • 2017-Feb-24 Reported issue to Astbury Marsden.
  • 2017-Feb-24 Issue acknowledged by Astbury Marsden.
  • 2017-May-25 90 days since initial disclosure.
  • 2017-Jul-13 140 days since disclosure - reminder sent to Astbury Marsden. No reply.
  • 2017-Aug-30 187 days since initial disclosure. Public disclosure of issue on blog.

Affected Pages:

  • http://www.astburymarsden.com/login/
  • http://www.astburymarsden.com/contact/quick-enquiry.aspx
  • http://www.astburymarsden.com/login/register.aspx
  • http://www.astburymarsden.com/login/forgotten.aspx

Images:

  • Login page - email and password

  • Enquiry page - first name, last name, company, office, email, telephone, comments

  • Register page - first name, last name, telephone, email, password, CV (attachment)

  • Forgotten password page - email
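The issue on each of these pages is the same: a form that collects a password, a CV or contact details, but whose page and submit target are plain http://, so the browser sends those values in cleartext. As an added example (not code from the original post or from Astbury Marsden), the script below audits page markup for exactly that: forms containing sensitive input types whose resolved action URL is not https. The HTML fragments are constructed from the field lists above, not the site's real markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types whose values should never travel over plain HTTP.
SENSITIVE_TYPES = {"password", "file", "email", "tel"}

class FormAuditor(HTMLParser):
    """Collect each <form> with its resolved action URL and the sensitive input types it contains."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or relative action posts back relative to the page, so resolve against the page URL.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""), "sensitive": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            if kind in SENSITIVE_TYPES:
                self._current["sensitive"].add(kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_forms(page_url, html):
    """Return (action, sorted sensitive types) for each form that carries sensitive fields but does not submit over https."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [(f["action"], sorted(f["sensitive"])) for f in auditor.forms
            if f["sensitive"] and urlsplit(f["action"]).scheme != "https"]

# Constructed sample markup modelled on the fields listed above; not the real site's HTML.
LOGIN_HTML = """<form action="" method="post">
  <input type="email" name="Email"><input type="password" name="Password"></form>"""
REGISTER_HTML = """<form action="register.aspx" method="post" enctype="multipart/form-data">
  <input type="text" name="FirstName"><input type="tel" name="Tel"><input type="email" name="Email">
  <input type="password" name="Pw"><input type="file" name="CV"></form>
<form action="https://search.example/" method="get"><input type="text" name="q"></form>"""

if __name__ == "__main__":
    for url, html in [("http://www.astburymarsden.com/login/", LOGIN_HTML),
                      ("http://www.astburymarsden.com/login/register.aspx", REGISTER_HTML)]:
        for action, fields in insecure_forms(url, html):
            print(f"INSECURE: {action} submits {', '.join(fields)} without TLS")
```

The same check passes once the page and its form action are served over https, which is the fix the post is asking for; the https search form with only a text field is correctly ignored.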

Written on August 30, 2017